U.S. authorities have seized more than $600,000 in cryptocurrency linked to a Ledger phishing scam that targeted a hardware wallet user through a deceptive physical mail campaign.
The case, announced by the U.S. Department of Justice, stems from a 2025 incident in which a Connecticut resident was tricked into compromising their wallet security, allowing attackers to steal digital assets. The recovery effort underscores both the traceability of blockchain transactions and the evolving tactics used in crypto-related fraud.
What happened in the Ledger phishing scam
According to federal prosecutors, the Ledger phishing scam began when a victim received a letter appearing to come from “Ledger Security & Compliance.” The message instructed the recipient to perform a mandatory security update on their hardware wallet.
Instead, the instructions led the victim to unknowingly expose their wallet’s recovery phrase, effectively granting attackers full access to the funds. Approximately $234,000 in cryptocurrency was initially stolen through the Ledger phishing scam, authorities said.
The attackers later moved the funds across multiple wallets and converted them into the stablecoin Tether in an attempt to obscure the trail.
How the Ledger phishing scam worked
The Ledger phishing scam relied on social engineering rather than technical hacking. By impersonating a trusted hardware wallet provider, attackers exploited user trust and created a sense of urgency.
Unlike typical email phishing, this case involved physical mail—an approach that cybersecurity experts say is becoming more common. Fraudulent letters often include QR codes or links directing users to fake websites designed to capture sensitive information.
Once victims enter their recovery phrase, attackers can immediately access and transfer funds. Because hardware wallets rely on this phrase as the ultimate key, its exposure renders all other security measures ineffective.
Authorities’ response and seized funds
Investigators from the FBI and state law enforcement traced the stolen funds through blockchain transactions, eventually identifying over $600,000 in Tether linked to the Ledger phishing scam.
Authorities filed a civil forfeiture complaint, and a U.S. court approved the seizure, transferring the funds to government control. Officials said the recovered assets may be returned to the victim following legal procedures.
The case demonstrates how blockchain transparency can aid law enforcement. Even when funds are moved across multiple wallets, transaction records remain publicly traceable.
What this means for crypto users
The Ledger phishing scam highlights a critical vulnerability in crypto security: human error. While hardware wallets are designed to provide strong protection, they cannot prevent users from voluntarily revealing sensitive information.
Similar scams have targeted users of other wallet providers, often leveraging data from past breaches to personalize attacks.
Regulators and law enforcement agencies continue to warn that phishing remains one of the most common threats in the crypto ecosystem. The Ledger phishing scam reinforces the importance of verifying communications and avoiding any request for recovery phrases or private keys.
Moses Edozie is a writer and storyteller with a deep interest in cryptocurrency, blockchain innovation, and Web3 culture. Passionate about DeFi, NFTs, and the societal impact of decentralized systems, he creates clear, engaging narratives that connect complex technologies to everyday life.